Analysis
- max time kernel: 101s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 06:49
Static task: static1
Behavioral task: behavioral1
- Sample: be182d3e8d85db133402ea4222581e8cb19285ff10dedb7466731fb6a33c2d81.xlsm
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: be182d3e8d85db133402ea4222581e8cb19285ff10dedb7466731fb6a33c2d81.xlsm
- Resource: win10v2004-20220812-en
General
- Target: be182d3e8d85db133402ea4222581e8cb19285ff10dedb7466731fb6a33c2d81.xlsm
- Size: 638KB
- MD5: 4dbc8803e63f1f49fc16a104022b38ac
- SHA1: 503045dc987667508057788309d2bd27606de0c0
- SHA256: be182d3e8d85db133402ea4222581e8cb19285ff10dedb7466731fb6a33c2d81
- SHA512: 6cf671b68d79e4f56c5a8da84008dbf0ebe56fe3aeadef38fca8b52a136ccf769c8713114bcef2ea94041b335c688af3a43020d6186f13bef9a058df02902942
- SSDEEP: 12288:iDIvwq6idGvVybLfC71IwqUhoZFV27KuLhnh+w0PYBNb0M6xxzYvmD4:hAd2etKOh+jwNA7rD4
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, IoC, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
- 4632 EXCEL.EXE
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes (pid, process):
- 4632 EXCEL.EXE (all 15 IoCs from this process)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
- PID 4632 wrote to memory of 5008: 4632 EXCEL.EXE -> splwow64.exe
- PID 4632 wrote to memory of 5008: 4632 EXCEL.EXE -> splwow64.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\be182d3e8d85db133402ea4222581e8cb19285ff10dedb7466731fb6a33c2d81.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4632-132-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-133-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-134-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-135-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-136-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-137-0x00007FFA7F4B0000-0x00007FFA7F4C0000-memory.dmp (64KB)
- memory/4632-138-0x00007FFA7F4B0000-0x00007FFA7F4C0000-memory.dmp (64KB)
- memory/4632-141-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-142-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-143-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/4632-144-0x00007FFA81510000-0x00007FFA81520000-memory.dmp (64KB)
- memory/5008-139-0x0000000000000000-mapping.dmp